ctyano · ctyano · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/Makefile b/Makefile
@@ -25,59 +25,72 @@ LDFLAGS_ARGS += -X 'main.BUILD_DATE=$(shell date '+%Y-%m-%dT%H:%M:%S%Z%z')'
 endif
 ifneq ($(DEFAULT_OIDC_CLIENT_ID),)
 LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_CLIENT_ID=$(DEFAULT_OIDC_CLIENT_ID)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_CLIENT_ID=athenz-user-cert'
 endif
 ifneq ($(DEFAULT_OIDC_CLIENT_SECRET),)
 LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_CLIENT_SECRET=$(DEFAULT_OIDC_CLIENT_SECRET)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_CLIENT_SECRET=athenz-user-cert'
 endif
 ifneq ($(DEFAULT_OIDC_ISSUER),)
 LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_ISSUER=$(DEFAULT_OIDC_ISSUER)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_ISSUER=http://127.0.0.1:5556/dex'
 endif
 ifneq ($(DEFAULT_OIDC_LISTEN_ADDRESS),)
 LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_LISTEN_ADDRESS=$(DEFAULT_OIDC_LISTEN_ADDRESS)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_LISTEN_ADDRESS=":8080"'
 endif
 ifneq ($(DEFAULT_OIDC_SCOPES),)
 LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_SCOPES=$(DEFAULT_OIDC_SCOPES)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_SCOPES="openid\ email\ profile"'
 endif
 ifneq ($(DEFAULT_OIDC_ACCESS_TOKEN_PATH),)
 LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_ACCESS_TOKEN_PATH=$(DEFAULT_OIDC_ACCESS_TOKEN_PATH)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/oidc.DEFAULT_OIDC_ACCESS_TOKEN_PATH=.athenz/.accesstoken'
 endif
 
-ifneq ($(DEFAULT_CRYPKI_VALIDITY),)
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_VALIDITY=$(DEFAULT_CRYPKI_VALIDITY)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_VALIDITY=2592000' # 30 * 24 * 60 * 60 seconds
+ifneq ($(DEFAULT_SIGNER_CRYPKI_SIGN_URL),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CRYPKI_SIGN_URL=$(DEFAULT_SIGNER_CRYPKI_SIGN_URL)'
 endif
-ifneq ($(DEFAULT_CRYPKI_IDENTIFIER),)
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_IDENTIFIER=$(DEFAULT_CRYPKI_IDENTIFIER)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_IDENTIFIER=athenz'
+ifneq ($(DEFAULT_SIGNER_CRYPKI_CA_URL),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CRYPKI_CA_URL=$(DEFAULT_SIGNER_CRYPKI_CA_URL)'
 endif
-ifneq ($(DEFAULT_CRYPKI_TIMEOUT),)
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_TIMEOUT=$(DEFAULT_CRYPKI_TIMEOUT)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_TIMEOUT=10' # seconds
+ifneq ($(.DEFAULT_SIGNER_CRYPKI_VALIDITY),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CRYPKI_VALIDITY=$(.DEFAULT_SIGNER_CRYPKI_VALIDITY)'
 endif
-ifneq ($(DEFAULT_CRYPKI_ALGORITHM),)
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_ALGORITHM=$(DEFAULT_CRYPKI_ALGORITHM)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CRYPKI_ALGORITHM=RSA'
+ifneq ($(.DEFAULT_SIGNER_CRYPKI_IDENTIFIER),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CRYPKI_IDENTIFIER=$(.DEFAULT_SIGNER_CRYPKI_IDENTIFIER)'
 endif
-ifneq ($(DEFAULT_CRYPKI_ALGORITHM),)
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CFSSL_TIMEOUT=$(DEFAULT_CFSSL_TIMEOUT)'
-else
-LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_CFSSL_TIMEOUT=RSA'
+ifneq ($(.DEFAULT_SIGNER_CRYPKI_TIMEOUT),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CRYPKI_TIMEOUT=$(.DEFAULT_SIGNER_CRYPKI_TIMEOUT)'
+endif
+
+ifneq ($(DEFAULT_SIGNER_CFSSL_SIGN_URL),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CFSSL_SIGN_URL=$(DEFAULT_SIGNER_CFSSL_SIGN_URL)'
+endif
+ifneq ($(DEFAULT_SIGNER_CFSSL_CA_URL),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CFSSL_CA_URL=$(DEFAULT_SIGNER_CFSSL_CA_URL)'
+endif
+ifneq ($(.DEFAULT_SIGNER_CFSSL_TIMEOUT),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_CFSSL_TIMEOUT=$(.DEFAULT_SIGNER_CFSSL_TIMEOUT)'
+endif
+
+ifneq ($(DEFAULT_SIGNER_VAULT_JWT_ROLE),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_JWT_ROLE=$(DEFAULT_SIGNER_VAULT_JWT_ROLE)'
+endif
+ifneq ($(DEFAULT_SIGNER_VAULT_PKI_NAME),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_PKI_NAME=$(DEFAULT_SIGNER_VAULT_PKI_NAME)'
+endif
+ifneq ($(DEFAULT_SIGNER_VAULT_PKI_ROLE),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_PKI_ROLE=$(DEFAULT_SIGNER_VAULT_PKI_ROLE)'
+endif
+ifneq ($(DEFAULT_SIGNER_VAULT_SIGN_URL),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_SIGN_URL=$(DEFAULT_SIGNER_VAULT_SIGN_URL)'
+endif
+ifneq ($(DEFAULT_SIGNER_VAULT_CA_URL),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_CA_URL=$(DEFAULT_SIGNER_VAULT_CA_URL)'
+endif
+ifneq ($(DEFAULT_SIGNER_VAULT_ISSUER_REF),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_ISSUER_REF=$(DEFAULT_SIGNER_VAULT_ISSUER_REF)'
+endif
+ifneq ($(DEFAULT_SIGNER_VAULT_TTL),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_TTL=$(DEFAULT_SIGNER_VAULT_TTL)'
+endif
+ifneq ($(DEFAULT_SIGNER_VAULT_TIMEOUT),)
+LDFLAGS_ARGS += -X '$(APP_REPO_URL)/pkg/signer.DEFAULT_SIGNER_VAULT_TIMEOUT=$(DEFAULT_SIGNER_VAULT_TIMEOUT)'
 endif
 
 ifneq ($(LDFLAGS_ARGS),)

diff --git a/cmd/main.go b/cmd/main.go
@@ -51,7 +51,7 @@ Options:
 	}
 
 	// Parse argument flags
-	signerName := flag.String("signer", DEFAULT_SIGNER_NAME, "Name for the certificate signer product (\"crypki\" or \"cfssl\")")
+	signerName := flag.String("signer", DEFAULT_SIGNER_NAME, "Name for the certificate signer product (\"crypki\", \"cfssl\" or \"vault\")")
 	signerURL := flag.String("sign-url", "", "Target destination URL to send the certificate sign request (leave it empty to use default)")
 	caURL := flag.String("ca-url", "", "Target destination URL to retrieve the ca certificate (leave it empty to use default)")
 
@@ -115,6 +115,13 @@ Options:
 		if *caURL == "" {
 			*caURL = signer.DEFAULT_SIGNER_CFSSL_CA_URL
 		}
+	case "vault":
+		if *signerURL == "" {
+			*signerURL = signer.DEFAULT_SIGNER_VAULT_SIGN_URL
+		}
+		if *caURL == "" {
+			*caURL = signer.DEFAULT_SIGNER_VAULT_CA_URL
+		}
 	}
 	if *debug {
 		fmt.Printf("Signer URL is set as:%s\n", *signerURL)
@@ -165,6 +172,35 @@ Options:
 		if *debug {
 			fmt.Printf("CA certificate:\n%s\n", cacert)
 		}
+	case "vault":
+		err, vaulttoken := signer.GetVaultToken(signer.DEFAULT_SIGNER_VAULT_JWT_LOGIN_URL, signer.DEFAULT_SIGNER_VAULT_JWT_ROLE, accesstoken, nil)
+		if err != nil {
+			fmt.Printf("Failed to get vault token: %s\n", err)
+			os.Exit(1)
+		}
+		if *debug {
+			fmt.Printf("Vault Token retrieved Successfully:\n%s\n", vaulttoken)
+		}
+		err, cert = signer.SendVaultCSR(*commonName, *signerURL, csr, &map[string][]string{
+			"X-Vault-Token": []string{vaulttoken},
+		})
+		if err != nil {
+			fmt.Printf("Failed to get signed certificate: %s\n", err)
+			os.Exit(1)
+		}
+		if *debug {
+			fmt.Printf("Signed certificate:\n%s\n", cert)
+		}
+		err, cacert = signer.GetVaultRootCA(false, *caURL, &map[string][]string{
+			"X-Vault-Token": []string{vaulttoken},
+		})
+		if err != nil {
+			fmt.Printf("Failed to get ca certificate: %s\n", err)
+			os.Exit(1)
+		}
+		if *debug {
+			fmt.Printf("CA certificate:\n%s\n", cacert)
+		}
 	}
 
 	keyPEM, err := certificate.PrivateKeyToPEM(*key)

diff --git a/cmd/test.go b/cmd/test.go
@@ -34,6 +34,13 @@ func ExecuteTestCommand(arg []string, testFlagSet *flag.FlagSet) {
 		if *caURL == "" {
 			*caURL = signer.DEFAULT_SIGNER_CFSSL_CA_URL
 		}
+	case "vault":
+		if *signerURL == "" {
+			*signerURL = signer.DEFAULT_SIGNER_CFSSL_SIGN_URL
+		}
+		if *caURL == "" {
+			*caURL = signer.DEFAULT_SIGNER_CFSSL_CA_URL
+		}
 	}
 	if *debug {
 		fmt.Printf("Signer URL is set as:%s\n", *signerURL)
@@ -52,6 +59,12 @@ func ExecuteTestCommand(arg []string, testFlagSet *flag.FlagSet) {
 			fmt.Printf("Failed to get ca certificate: %s\n", err)
 			os.Exit(1)
 		}
+	case "vault":
+		err, _ := signer.GetVaultRootCA(true, *caURL, &map[string][]string{})
+		if err != nil {
+			fmt.Printf("Failed to get ca certificate: %s\n", err)
+			os.Exit(1)
+		}
 	}
 	fmt.Printf("%s test complete\n", DEFAULT_APP_NAME)
 }
diff --git a/cmd/version.go b/cmd/version.go
@@ -42,4 +42,14 @@ func ExecuteVersionCommand(arg []string, versionFlagSet *flag.FlagSet) {
 	fmt.Printf("    CLI X.509 Certificate Signer URL: %s\n", signer.DEFAULT_SIGNER_CFSSL_SIGN_URL)
 	fmt.Printf("    CLI X.509 Certificate CA URL: %s\n", signer.DEFAULT_SIGNER_CFSSL_CA_URL)
 	fmt.Printf("    CLI X.509 Certificate Request Timeout: %s seconds\n", signer.DEFAULT_SIGNER_CFSSL_TIMEOUT)
+	fmt.Printf("  CLI X.509 configuration for Vault:\n")
+	fmt.Printf("    CLI X.509 Certificate Login URL: %s\n", signer.DEFAULT_SIGNER_VAULT_JWT_LOGIN_URL)
+	fmt.Printf("    CLI X.509 Certificate Login JWT Role: %s\n", signer.DEFAULT_SIGNER_VAULT_JWT_ROLE)
+	fmt.Printf("    CLI X.509 Certificate PKI Name: %s\n", signer.DEFAULT_SIGNER_VAULT_PKI_NAME)
+	fmt.Printf("    CLI X.509 Certificate PKI Role: %s\n", signer.DEFAULT_SIGNER_VAULT_PKI_ROLE)
+	fmt.Printf("    CLI X.509 Certificate Signer URL: %s\n", signer.DEFAULT_SIGNER_VAULT_SIGN_URL)
+	fmt.Printf("    CLI X.509 Certificate CA URL: %s\n", signer.DEFAULT_SIGNER_VAULT_CA_URL)
+	fmt.Printf("    CLI X.509 Certificate Issuer Reference: %s\n", signer.DEFAULT_SIGNER_VAULT_ISSUER_REF)
+	fmt.Printf("    CLI X.509 Certificate TTL: %s\n", signer.DEFAULT_SIGNER_VAULT_TTL)
+	fmt.Printf("    CLI X.509 Certificate Request Timeout: %s seconds\n", signer.DEFAULT_SIGNER_VAULT_TIMEOUT)
 }
diff --git a/pkg/oidc/accesstoken.go b/pkg/oidc/accesstoken.go
@@ -45,11 +45,8 @@ func getCachedAccessToken(debug bool) (string, error) {
 	validity, _ := strconv.Atoi(strings.TrimSpace(DEFAULT_OIDC_ACCESS_TOKEN_VALIDITY))
 	if expired, err := isCacheFileExpired(accessTokenFile, float64(validity), debug); !expired && err == nil {
 		data, err := os.ReadFile(accessTokenFile)
-		if err != nil {
-			return "", fmt.Errorf("could not read the cache file, error: %v", err)
-		}
-		if expired {
-			return "", fmt.Errorf("access Token has expired")
+		if err != nil || expired {
+			return "", err
 		}
 		return strings.TrimSpace(string(data)), nil
 	} else {
@@ -64,8 +61,10 @@ func isCacheFileExpired(filename string, maxAge float64, debug bool) (bool, erro
 	}
 	delta := time.Since(info.ModTime())
 	// return false if duration exceeds maxAge
-	expired := delta.Minutes() > maxAge
-	return expired, nil
+	if expired := delta.Minutes() > maxAge; expired {
+		return expired, fmt.Errorf("access token has expired")
+	}
+	return false, nil
 }
 
 func createCacheDir(dirname string, debug bool) (bool, error) {
@@ -111,7 +110,7 @@ func GetOIDCDiscovery(debug *bool) (string, string, error) {
 func GetAuthAccessToken(responseMode *string, debug *bool) (string, error) {
 	accessToken, err := getCachedAccessToken(*debug)
 	if *debug && err != nil {
-		fmt.Printf("Failed get cached access token: %s", err)
+		fmt.Printf("Failed get cached access token: %s\n", err)
 	}
 	if accessToken != "" {
 		return accessToken, err

diff --git a/pkg/signer/crypki.go b/pkg/signer/crypki.go
@@ -14,7 +14,7 @@ import (
 var (
 	DEFAULT_SIGNER_CRYPKI_SIGN_URL   = "http://localhost:10000/v3/sig/x509-cert/keys/x509-key"
 	DEFAULT_SIGNER_CRYPKI_CA_URL     = "http://localhost:10000/v3/sig/x509-cert/keys/x509-key"
-	DEFAULT_SIGNER_CRYPKI_VALIDITY   = "2592000" // 30 * 24 * 60 * 60, 30 days in seconds
+	DEFAULT_SIGNER_CRYPKI_VALIDITY   = "43200" // 30 * 24 * 60, 1 hour in seconds
 	DEFAULT_SIGNER_CRYPKI_IDENTIFIER = "athenz"
 	DEFAULT_SIGNER_CRYPKI_TIMEOUT    = "10" // in seconds
 )